Thursday, January 10, 2019

OCI―Knowing Identity and Access Management Basics

OCI Level 100 - Identify and Access Management (demo starts at 29:00)

The Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) service lets you control who has access to your cloud resources (see Figure 1). You can control what type of access a group of users has and to which specific resources.The service enables you to enforce the security principle of least privilege by default. New users are not allowed to perform any actions on any resources until they are granted with appropriate permissions.

Figure 1.  Oracle Cloud Infrastructure Architecture

Key Concepts/Components


IAM uses/implements below key concepts/components:
  • Resource
    • Includes compute instancesblock storage volumesvirtual cloud networks (VCNs)subnets, and route tables
    • Each OCI resource has a unique Oracle Cloud ID (OCID)
    • A resource can't be reassigned to a different compartment after creation (exception: Buckets)
  • Tenancy
    • Is equivalent of an account
      • Oracle automatically creates your company's tenancy for you
    • Provisioned with a single, top-level compartment called the root compartment
      • Root compartment contains all of your organization's OCI resources. 
  • Compartment
    • Logical container used for organizing and isolating cloud resources
      • Each resource is in exactly one compartment[3]
        • But, resources can be connected/shared across compartments
      • Can be deleted or renamed after creation 
      • Can have sub compartments nested up to 6 levels deep
        • Sub compartments inherit access permissions from compartments higher up its hierarchy
    • Holds a collection of related resources
      • Root compartment
        • Directly within the tenancy are IAM resources like:
          • usersgroupscompartments, and some policies
      • Other compartments created by you
        • Within your created compartments inside the tenancy are other types of cloud resources:
          •  instances, virtual networks, and block storage volumes
  • Principal
    • Is an IAM entity that is allowed to interact with OCI resources
    • Includes IAM users and instance principals
      • Instance principals let instances (and applications) to make API calls against other OCI services removing the need to configure user credentials or configuration files
  • User
    • An individual that needs to manage or use OCI resources
      • Might need to launch instances, manage remote disks, work with virtual cloud network, etc. 
    • Users can be created and given console passwords to use the web console and/or API signing keys to use the REST API and SDKs
    • User must be placed in groups to be given access to cloud resources
      • A new user has no permissions until you place the user in one of more groups and there's at least one policy that gives that group permission to either the tenancy or a compartment
  • Group
    • A collection of users who all need the same type of access to a particular set of resources or compartment
      • Users can be members of multiple groups
    • Used to grant privileges to cloud resources
      • A group has no permissions until you write at least one policy that gives that group permission to either the tenancy or a compartment
  • Policy
    • A document that specifies who can access which resources, and how. 
    • Access is granted at the group level and compartment level
      • You can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself. 
      • If you give a group access to the tenancy, the group automatically gets the same type of access to all the compartments inside the tenancy.
    • Some policies are directly within the tenancy and some are within your created compartments inside the tenancy
  • Home Region
    • The region where your IAM resources reside. 
      • IAM resources (compartments, users, groups, and policies) are global. So, you can access them across all regions.
        • However, the master set of definitions resides in a single region, the home region
    • You make changes to your IAM resources in your home region, and the changes are automatically propagated to all regions.
Figure 2. OCI Compartments (Tenancy: Root Compartment)

Policies 


OCI authorization specifies various actions an authenticated Principal can perform.  You can define specific privileges (in policies) to be associated with authenticated principals using groups.  Lets recap the default behaviors of IAM service:
IAM service enables you to enforce the security principle of least privilege by default. New users are not allowed to perform any actions on any resources until they are granted with appropriate permissions using policies.

Policies are comprised of one or more statements which specify what groups can access what resources and what level of access users in that group have .  They are written in human-readable format: 

Allow group <group_name> to <verb> <resource-type> in tenancy <tenancy_name>
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]

Example: 

Allow group NetworkAdmins to manage virtual-network-family in tenancy
Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment
Allow group ObjectWriters to manage objects in compartment demo where any  {reqeuest.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}
ALLOW GROUP AnalyticsAdmin TO READ compartments IN TENANCY
ALLOW GROUP AnalyticsAdmin TO READ virtual-network-family IN TENANCY

For more information, see Example Scenario and How Policies Work.

Figure 3.  Permissions granted using Policy statements

Resource Locations


Below we have summarized where OCI resources are located and from where you can access them:

Service
Resource
Location
Notes
IAMUsers,Groups, Polices, Compartments, API Signing KeysGlobal
ComputeImagesRegion
InstancesADInstances can be attached only to volumes in the same AD
VolumesAD
Volume backupRegionBackups can be restored as new volumes to any AD within the same group
DatabaseDB SystemsAD
NetworkVirtual Cloud Network (VCN)Region
SubnetAD
Security Lists Route TableRegion
Dynamic Routing Gateway (DRB)Region
Customer Premises Equiptment (CPE), Internet GatewayRegion
Load Balancer Load Balancer
Region

Object Storage Buckets
Region
Bucket is a regional resource but it can be accessed from any location as long as correct region-specific URL is used.

Sorted by scope, here is another summary:
  • Global
    • IAM 
    • Key Vaults, Keys
    • DNS
  • Availability Domain
    • Subnet
    • Compute instances
    • Block Volume
    • DB Systems
    • File System (& Mount Target)
    • Ephemeral Public IPs
  • Regional


References

  1. Identity and Access Management (OCI)
  2. Oracle’s Next Generation Cloud Infrastructure
  3. Oracle Cloud Infrastructure Fundamentals
  4. More articles on OCI (XML and More)
  5. Common Policies (OCI)
  6. Managing Dynamic Groups (OCI)

No comments: